I was working on a post I decided to entitle "Don't Say I Didn't Warn You" (upcoming) when this came across the wires.  The PIN Payments Blog will follow this case closely as the ruling will set a precedent, as all rulings do.  This could be a game-changing ruling when it comes to how banks provide authentication.  As I've stated for the past 18 months, Don't Type...Swipe!  This case could result in banks being subjected to the risk, as opposed to their customers which might provide more motivation for them to take the extra steps necessary to securely authenticate their online banking customers with a 2FA 3DES DUKPT E2EE PCI 2.x Certified approach.  





This was first reported by David Johnson's Digital Media Lawyer Blog which spoke a little about the the largest precedential impact. 





"The aspect of the case that may have the largest precedential impact was its decision on the plaintiffs' negligence cause of action. (Fn1) A major basis for their negligence claim was the theory that financial institutions have a common law duty to protect their members' or customers' confidential information against identity theft. While the Court could not find controlling State precedent on point (Indiana law applied), it noted that Indiana courts have held that a bank has a duty not to disclose information concerning one of its customers unless it is to someone who has a legitimate public interest. The Court then stated, "If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts."
Editor's Note:  If Citizens loses this case..."citizens everywhere win".... as banks will be forced to increase the security of online banking.  There is no safer way to authenticate the user than to utilize the same trusted security banks use to dispense cash at ATM's.  HomeATM provides the only 2FA 3DES DUKPT E2EE PCI 2.x Certified Solution  in two hemispheres.  The average phishing attack is $352 and that hasn't yet got the banks moving.  Maybe the threat of losing $100k+ every time one of their online customers fall victim to fraud caused by weak authentication will motivate them to invest $12.00 or so, and protect themselves AND their customers.   We'll keep ya posted!





Finextra: Court allows suit against bank for poor online security







The plaintiffs claim that by only requiring user names and passwords to authenticate customers at log in, Citizens failed to maintain state-of-the-art security standards.  


A US couple who had thousands of dollars stolen from their online account have been given the go-ahead by a court to sue their bank for failing to provide adequate security.





In 2007 Marsha and Michael Shames-Yeakel fell victim to an ID thief who gained access to their Citizens Financial Bank online account and stole $26,500 from a home equity credit line.  The money was transferred, via a bank in Hawaii, to a financial institution in Austria. The Austrian bank refused to return the funds, prompting Citizens to inform the couple that they would be liable for the loss.



The Shames-Yeakel's refused to pay, leading the bank to report their account as delinquent to the national credit bureaus and threaten to foreclose on their residence. In response, the couple sued the bank on several grounds, claiming violations of the Electronic Funds Transfer Act and the Fair Credit Reporting Act, in the northern district of Illinois.   They also accused the bank of negligence under state law for failing to adequately protect their online accounts.

"In light of Citizens' apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access." - US District Judge Rebecca Pallmeyer





The Judge also states: "If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts."












Reblog this post [with Zemanta]

Posted by John B. Frank Tuesday, September 8, 2009

0 comments

Payments Industry News Blog

Search the PIN Debit Blog by Subject

Kapersky Calls for Mass Adoption of Card Readers

Kapersky Calls for Mass Adoption of Card Readers